Department of Homeland Security

U.S. Customs and Border Protection
Privacy Stewardship

OIG-12-78                                          April 2012

April 30, 2012

Table of Contents/Abbreviations

Executive Summary
Background
Results of Audit
     CBP Needs To Strengthen Its Organizational Approach to Privacy
     CBP Needs To Improve Compliance With Privacy Requirements
     Stronger Measures Needed To Protect CBP Employee Social Security Numbers
     Survey Respondents Suggest Improvements to Privacy Safeguards
     Recommendations
     Management Comments and OIG Analysis

Appendices
     Appendix A: Purpose, Scope, and Methodology
     Appendix B: Management Comments to the Draft Report
     Appendix C: Legislation, Memoranda, Directives, and Guidance Related to CBP Privacy Stewardship Audit
     Appendix D: Component-Level Privacy Officer Designation and Duties
     Appendix E: CBP Culture of Privacy Survey
     Appendix F: CBP Privacy Compliance Status
     Appendix G: Inconsistencies Between Records Retention Schedules Published in System of Records Notices and Internal Guidance
     Appendix H: DHS Fair Information Practice Principles at Work
     Appendix I: Major Contributors to this Report
     Appendix J: Report Distribution

Abbreviations
     CBP      U.S. Customs and Border Protection
     DHS      Department of Homeland Security
     FEMA     Federal Emergency Management Agency
     ICE      U.S. Immigration and Customs Enforcement
     OIG      Office of Inspector General
     OMB      Office of Management and Budget
     PII      personally identifiable information
     TECS     formerly Treasury Enforcement Communications System
     TSA      Transportation Security Administration
     USCIS    U.S. Citizenship and Immigration Services

Department of Homeland Security
Office of Inspector General

Executive Summary

We performed an audit of U.S. Customs and Border Protection’s (CBP) privacy stewardship.
Our audit objectives were to determine whether CBP’s plans and activities instill a culture of privacy that protects sensitive personally identifiable information and whether CBP ensures compliance with Federal privacy laws and regulations.

CBP has made limited progress toward instilling a culture of privacy that protects sensitive personally identifiable information. This is in part because it has not established a strong organizational approach to address privacy issues across the component. To strengthen its organizational approach to privacy, CBP needs to establish an Office of Privacy with adequate resources and staffing and hold Assistant Commissioners and Directors accountable for their employees’ understanding of and compliance with their privacy responsibilities.

In addition, CBP needs to improve its compliance with Federal privacy laws and regulations. Specifically, it needs to develop a complete inventory of its personally identifiable information holdings, complete privacy threshold analyses for all systems, and develop accurate system of records notices for its systems. CBP also needs to ensure that privacy impact assessments are conducted for all personally identifiable information systems.

CBP also needs to implement stronger measures to protect employee Social Security numbers.
Without a component-wide approach to minimizing the collection of employee Social Security numbers, privacy incidents involving these numbers will continue to occur.

Respondents to our privacy survey provided thousands of suggestions on how CBP can better instill a culture of privacy. We are making three recommendations to the Acting Commissioner of CBP.

Background

The Privacy Act of 1974, as amended (Privacy Act) imposes various requirements on agencies whenever they collect, use, maintain, or disseminate personally identifiable information (PII) in a system of records. The Department of Homeland Security (DHS) defines PII as any information that permits the identity of an individual to be inferred directly or indirectly, including any information that can be linked to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the United States, employee, or contractor to the Department. Federal laws, regulations, directives, and guidelines set the minimum standards for handling PII. Appendix C lists Federal privacy laws and policies related to CBP privacy stewardship.

CBP secures the Nation’s borders, protects the public against terrorists, and facilitates the flow of legitimate international trade and travel. To accomplish CBP’s mission, different groups of CBP employees may collect, use, maintain, or process PII on a daily basis, as shown in figure 1.

Figure 1. U.S. Customs and Border Protection Employee Groups

The Office of Border Patrol and the Office of Field Operations account for almost 85 percent of CBP’s employees. These offices may handle a significant volume of PII. For example, more than 20,000 border agents collect, handle, share, or maintain PII to secure 6,900 miles of border with Canada and Mexico, as well as 95,000 miles of shoreline. In fiscal year 2010, more than 23,000 field officers and specialists at ports of entry collected, handled, shared, or maintained PII related to more than 350 million travelers, 105 million conveyances (cars, trucks, buses, trains, vessels, and aircraft), and 24 million truck, rail, and sea containers. CBP employees use 46 information technology systems that maintain Social Security numbers, biometric data, and financial information. For example, one system stores more than 35 terabytes of PII.[1] Figure 2 shows examples of PII that CBP collects from data owners and stores in different systems.

[1] A terabyte is a unit of measurement for digital information that is equivalent to 1 trillion bytes. One terabyte is equivalent to the information stored in a large public library. Therefore, 35 terabytes are equivalent to 35 large public libraries.

| CBP System | From Whom Or What | What Personally Identifiable Information May Be Collected |
|---|---|---|
| TECS System: CBP Primary and Secondary Processing | Traveler | name, date of birth, address, gender, citizenship, Social Security number, phone number, occupation, photo, fingerprint ID number, driver’s license data, vehicle information, dates and method of arrival/departure |
| Automated Targeting System | Traveler; Conveyance; Cargo | list of passengers and crew on flight, passenger name records that include name, address, flight, seat number, cargo destination, and account data |
| Automated Commercial System/Automated Commercial Environment | Broker; Carrier; Importer; Cargo | name, date of birth, address, gender, citizenship, driver license data, travel document data, destination, account data, electronic manifests |
| Advanced Passenger Information System/Non-Immigrant Information System | Passenger; Crew | name, date of birth, gender, citizenship, passport information, travel document type, U.S. address for foreign nationals, passenger name records, pilot license, country of issue for aircrew |

Figure 2. Types of Personally Identifiable Information Collected by CBP

A component’s culture of privacy reflects how well its executive leadership, managers, and employees understand, implement, and enforce a commitment to protect privacy. Privacy stewardship, or the promotion of an effective culture of privacy, leads to embedded shared attitudes, values, goals, and practices for complying with the requirements for proper handling of PII. A component privacy office can help enhance the culture of privacy by identifying privacy issues and working within the component to address them.

An effective culture of privacy supports ongoing risk assessment, assurance that appropriate safeguards are followed to protect individual PII and full sustainment of privacy compliance. Serious consequences to PII can result if CBP does not regularly assess and confirm whether PII is secure in its information technology systems. For example, a data breach of a major information technology system has been estimated to cost an average of $213 per record to resolve each privacy incident.[2] Given the significant volume and critical nature of the 1.2 million records containing traveler’s identity information generated in CBP’s TECS (formerly the Treasury Enforcement Communications System) in a single day, a data breach could cost $255.6 million. By complying with privacy requirements, including risk assessment and mitigation, CBP would be able to perform its mission while minimizing negative impact on individual privacy.

[2] According to the Ponemon Institute 2010 Annual Study: U.S. Cost of a Data Breach, March 2011, data breaches cost an average of $213 per compromised record, which includes the costs of investigating the breach, preparing breach notifications, and providing credit monitoring to affected individuals.

On June 5, 2009, the DHS Deputy Secretary issued the DHS Memorandum Designation of Component Privacy Officers (DHS Designation Memorandum), directing 10 components, including CBP, to designate senior-level Federal employees as their full-time Privacy Officers. CBP selected a Branch Chief under the Office of International Trade as the Privacy Officer, but decided to retain his existing organizational placement.
CBP responded to the DHS Deputy Secretary that this placement would “comply, substantially, with…[the DHS Designation Memorandum]…as well as with the constraints imposed upon CBP by both the Homeland Security Act of 2002 and the Security and Accountability for Every Port Act of 2006 (SAFE Port Act).”[3] The selected Privacy Officer continues to perform the full-time responsibilities as one of the many Branch Chiefs in the Office of International Trade.

[3] The SAFE Port Act mandated compliance with Section 412(b) of the Homeland Security Act that required legacy U.S. Customs revenue functions to continue under the newly established DHS, to include the specific allocation of staff in trade facilitation. Therefore, the staff of the Office of International Trade inherited the mandatory staffing requirements because they facilitate CBP’s compliance with the SAFE Port Act.

The DHS Designation Memorandum requires the component Privacy Officers to report to the head of the component. When acting as the CBP Privacy Officer, he reports through the Assistant Commissioner of the Office of International Trade to the Commissioner. Figure 3 illustrates the organizational placement of the two distinct positional responsibilities and respective information flow, one as the Privacy Officer (blue box and dotted line to show informal information flow) and another as the Branch Chief (green box and solid line to show his formal reporting line).

Figure 3. Privacy Officer Placement and Reporting

Results of Audit

CBP Needs To Strengthen Its Organizational Approach to Privacy

CBP has made limited progress toward instilling a culture of privacy. This is in part because it has not established a strong organizational approach to address privacy issues across the component. CBP designated one of its senior officials as its Privacy Officer in July 2009. As indicated in figure 3, his assignment is collateral with his responsibilities as Branch Chief, limiting his ability to address fully the wide array of duties described in the DHS Designation Memorandum. (See appendix D for a complete list of duties required of component Privacy Officers.)

For example, CBP has not issued a privacy directive outlining an organizational approach to ensure proper handling of PII and a strategic vision on privacy matters. Such a directive would formally hold Assistant Commissioners and Directors accountable for their employees’ understanding of and compliance with all Federal privacy laws and regulations. The strategic vision would support managers and staff in working closely with the Privacy Officer and including him in all management strategy meetings and operational planning that could affect privacy.
The Privacy Officer is best situated to identify the privacy issues related to CBP’s mission and work with managers on how best to implement DHS privacy policies into their specific operations. By implementing a privacy directive, CBP would improve the presence and effectiveness of the CBP Privacy Officer and the extent to which he can perform essential duties, such as the following:

   • Monitoring the component’s compliance with all Federal privacy laws and regulations; implementing corrective, remedial, and preventive actions; and, notifying the DHS Privacy Office of privacy issues or noncompliance when necessary;
   • Assisting in drafting and reviewing privacy threshold analyses, privacy impact assessments, and system of records notices, as well as any associated privacy compliance documentation; and,
   • Implementing and monitoring privacy safeguards, including training, for employees and contractors.

Also according to the DHS Designation Memorandum, components are to provide their Privacy Officers with adequate support and resources. CBP, however, has provided staff members to manage on a part-time basis a privacy program for the 58,000 employees who handle PII. Other DHS components—including the Federal Emergency Management Agency (FEMA), United States Immigration and Customs Enforcement (ICE), Transportation Security Administration (TSA), and United States Citizenship and Immigration Services (USCIS)—support their respective privacy programs with anywhere from 3 to 13 full-time staff.
Figure 4 shows the components that have issued privacy directives or policies to hold formally their managers accountable for their operations’ compliance with privacy requirements.

| Component | Est. # Employees Handling Personally Identifiable Information | Formally Established Management Accountability | # Staff Provided for Privacy Office |
|---|---|---|---|
| CBP | 58,000 | No | 11 (collateral duty) |
| FEMA | 7,000 | Yes | 8 |
| ICE | 13,000 | Yes | 5 |
| TSA | 20,000 | Yes | 3 |
| USCIS | 18,000 | Yes | 13 |

Figure 4. Comparable DHS Component Privacy Offices

We conducted a survey of CBP’s culture of privacy to assess privacy knowledge and obtain responses on three questions regarding privacy risks and integrating privacy into daily operations. (See appendix E for the survey methodology, details, and results.) More than 650 responses addressed the need for CBP to provide a shared strategic vision on privacy matters. Almost 800 responses indicated that managers can improve privacy stewardship. CBP officials whom we interviewed said that more resources and management accountability are needed to ensure that CBP has an effective privacy program.
As discussed in the following sections, CBP continues to face challenges in ensuring the protection of PII across the component.

CBP Needs To Improve Compliance With Privacy Requirements

CBP needs to improve its overall compliance with Federal privacy laws and regulations. Specifically, CBP needs to develop a complete inventory of all of its holdings of PII. In addition, CBP needs to conduct privacy threshold analyses to identify all systems that affect privacy.[4] Further, CBP needs to ensure that published system of records notices accurately reflect employee practices in handling the public’s PII. Finally, CBP needs to perform privacy impact assessments for its systems.

[4] For this report, we use “system” to refer to a system of records as well as information technology systems (e.g., subsystems, modules, applications), programs, rule-making, or technology that may be sensitive to privacy. A system of records may be paper-based or electronic. A system of records is a group of any records about an individual under agency control from which information is retrieved by that individual’s name, identifying number, symbol, or other identifying particular assigned to the individual.

Inventory of Holdings for Personally Identifiable Information Is Not Complete

CBP’s inventory of its holdings for PII is not complete. Office of Management and Budget (OMB) M-07-16 requires agencies to review their holdings of all PII and ensure that they are accurate, relevant, timely, and complete. Holdings for PII include systems, programs, and records that are privacy sensitive.

CBP cannot confirm the collection, location, and status of all of its PII. For its inventory of holdings for PII, CBP has relied on an electronic system, Trusted Agent Federal Information Security Management Act (Trusted Agent). Trusted Agent tracks only general support information technology systems and major applications.[5] General support information technology systems and major applications do not include other subsystems, modules, applications, programs, or records that collect, use, disseminate, or maintain personally identifiable information. Therefore, Trusted Agent does not contain a complete inventory of holdings for personally identifiable information.

[5] Trusted Agent is a software application that the DHS Office of the Chief Information Officer uses to comply with the Federal Information Security Management Act of 2002. DHS uses Trusted Agent to track major systems, including those that affect privacy. Components retain certain privacy compliance documentation along with security documentation in Trusted Agent.

CBP’s information technology staff is responsible for tracking and updating documentation for the 101 major information technology systems in Trusted Agent.
Figure 5 shows how CBP has categorized the privacy status of these information technology systems.

| Category | Count |
|---|---|
| Number of systems in inventory of personally identifiable information | 47 |
| Number of information technology systems without personally identifiable information in inventory | 54 |
| Total number of systems in Trusted Agent inventory | 101 |

Figure 5. Trusted Agent Inventory
Source: DHS Privacy Office, Trusted Agent, and CBP records, as of July 15, 2011.

In addition, CBP has not accounted for all of its systems. Through analysis of the Trusted Agent inventory, reports from the DHS Privacy Office, and CBP’s Intranet website, as well as information gathered from interviews, we determined that there are at least 48 potential systems that are in neither Trusted Agent nor the CBP Privacy Officer’s inventory list. Examples include systems to track cargo, intellectual property rights, passenger screening, and private aircraft. (See appendix F for information on CBP’s systems.) Because it has not identified all of its systems, CBP cannot ensure that effective privacy protections and mitigation of privacy risks for its systems, programs, and records have been implemented.

Privacy Threshold Analyses Not Performed

CBP has not conducted privacy threshold analyses for all of its systems. The DHS Privacy Office requires component program managers to submit a privacy threshold analysis every three years, when significantly changing existing systems, or when proposing new systems of records. The privacy threshold analysis is used to identify the systems that affect privacy.

More than 70 percent (71 of 101) of CBP’s systems need privacy threshold analyses.
Specifically, 32.7 percent (33 of 101) of systems in Trusted Agent still require privacy threshold analyses, and 37.6 percent (38 of 101) of systems have expired privacy threshold analyses that need to be updated. Only 29.7 percent (30 of 101) of CBP privacy threshold analyses are current. In addition, there are 48 potential systems that need privacy threshold analyses. (See appendix F for status.) Once CBP submits a privacy threshold analysis, the DHS Privacy Office determines whether (a) the activity involves PII, (b) a privacy impact assessment is required, and (c) an existing or new system of records notice is required for a collection of PII.

System of Records Notices

CBP has not developed system of records notices for all of its systems, as required by the Privacy Act. Specifically, 22.7 percent (10 of 44) of CBP’s systems do not have system of records notices. The Privacy Act requires Federal agencies to issue a notice for all systems of records under their control that collect personally identifiable information and from which information is retrieved by a unique identifier. The system of records notices provide to the public the rights and procedures for accessing and correcting personally identifiable information maintained by an agency on an individual.[6]

[6] System of Records Notices are published in the Federal Register to inform the public about what personally identifiable information is being collected, why it is being collected, how long it is being retained, and how it will be used, shared, accessed, and corrected. The Federal Register is the official daily publication for rules, proposed rules, and notices of Federal agencies and organizations, as well as executive orders and other presidential documents, and is published by the Office of the Federal Register, National Archives and Records Administration.

In addition, all of CBP’s published system of records notices for the remaining 34 (of 44) systems contain inconsistent information regarding the 26 types of records that they describe. For example, some records are being disposed of before the dates specified in their respective system of records notices. Other records are being held longer than the times identified in their respective system of records notices. According to the Privacy Act, information in the system of records notices must accurately describe how Government employees are handling the public’s PII. (See appendix G for additional information on inconsistencies between CBP system of records notices and internal guidance.)

Privacy Impact Assessments Are Not Performed

CBP has not conducted privacy impact assessments for all of its systems. The E-Government Act of 2002 requires agencies to conduct privacy impact assessments for all new or substantially changed information systems that collect, maintain, or disseminate PII. The privacy impact assessment process is a decision-making tool that requires pertinent information for analysis to ensure that privacy protections are incorporated during the development and operation of systems and programs that affect personally identifiable information.

Although the DHS Privacy Office required privacy impact assessments for 31 of CBP’s systems, 58.1 percent (18 of 31) of these systems still do not have them, as indicated in figure 6. Only 41.9 percent (13 of 31) of the systems have approved privacy impact assessments that are posted on the DHS Privacy Office website.
In addition, as identified in the section regarding privacy
threshold analyses, 48 systems may need privacy impact
assessments, as well.

Number of systems with completed privacy impact assessments        13
Number of systems without privacy impact assessments               18
Total number of systems that require privacy impact assessments    31

Figure 6. Status of Privacy Impact Assessments
Source: DHS Privacy Office, Trusted Agent, and CBP records and interviews,
as of July 15, 2011.

Stronger Measures Needed To Protect CBP Employee Social Security Numbers

CBP has not taken appropriate measures to protect its employees’ Social
Security numbers. In June 2007, the Office of Personnel Management
issued guidance and instructions for agencies to eliminate the unnecessary
use of employee numbers as identifiers and to strengthen the protection of
employee Social Security numbers from theft or loss. However, CBP has
not implemented component-wide measures to eliminate the unnecessary
collection of employee Social Security numbers on electronic and paper
forms, nor has it effectively employed alternative identifiers. Without
implementing such measures, CBP increases the risk that employee Social
Security numbers will be lost or stolen.

Unprotected Social Security Numbers on Electronic and Paper Forms

CBP has not implemented sufficient measures to protect Social
Security numbers in information systems or on paper forms.
DHS Privacy Policy Guidance Memorandum 2007-02 Regarding the
Use of Social Security Numbers at DHS allows programs to
collect, use, maintain, and disseminate Social Security numbers as
unique identifiers only when required by statute or regulation.
Absent a legal requirement, DHS programs are to create their own
unique identifiers to identify or link information about individuals.

Although CBP posted DHS Memorandum 2007-02 on its Intranet
site for the Training Records And Enrollment Network, it
maintains training records for more than 58,000 employees and
continues to collect, store, and track employee Social Security
numbers for course enrollments. According to CBP officials, the
current training network was designed to use employees’ Social
Security numbers as unique identifiers. To correct this oversight
and improve the functionality of the system, a new training
network is being developed that does not use employees’ Social
Security numbers as unique identifiers.

In addition, TECS is a system that supports enforcement and
inspection operations by tracking and processing data on suspect
individuals, businesses, vehicles, aircraft, and vessels entering the
United States by air, land, or sea.
TECS data are maintained and
updated by more than 58,000 CBP employees, as well as another
12,000 employees in more than 20 Federal agencies. TECS
maintains a history or log of employee user activities. When we
viewed various logs on TECS screens, we were able to see the
names and Social Security numbers of the employees who
collected, accessed, and maintained TECS information.7 The same
screens with employee Social Security numbers can be viewed by
TECS users at ports of entry, bridges, land borders, and in field
offices and vehicles. CBP is currently modernizing TECS. As
part of this effort, CBP will implement new procedures to protect
employee Social Security numbers.

Finally, CBP has not minimized the collection of employee Social
Security numbers on all of its administrative paper forms. Most of
these forms require only names, partial Social Security numbers,
alternative identifiers, or Social Security numbers for financial and
security reasons. However, we also identified forms that require
employees to provide their complete Social Security numbers
without identifying any legal authority for them.
For example, we
found forms requiring employees’ complete Social Security
numbers regarding canines, personal clothing, and equipment.

Insufficient Use of Alternative Identifiers

OMB M-07-16 states that agencies should explore alternatives to
the use of Social Security numbers as personal identifiers for
Federal employees. Since 2007, CBP has been issuing “HASH-IDs”
to comply with OMB guidance, but has not required their use
to replace Social Security numbers.8 According to CBP officials,
HASH-IDs cannot be required component-wide because they are
not supported by all information technology systems, such as the
Training Records And Enrollment Network. By continuing to use
employee Social Security numbers, CBP places them at an
unnecessary risk of disclosure.

7 TECS also contains the public’s Social Security numbers. Additional information is provided about TECS on pp.
3–4 of this report.

8 A HASH-ID is a unique identifier for each CBP employee.

Privacy Incidents Concerning Social Security Numbers

Without a strong approach to minimizing the collection of
employee Social Security numbers and implementing effective
measures to protect them, privacy incidents involving employees’
Social Security numbers continue to occur.
For example, as
reported by CBP to the DHS Security Operations Center during a
2-year period (2009 to 2010)—

• An e-mail containing Social Security numbers for 75
  individuals was sent to 13 other employees who had no
  need to know this information.
• A personal digital camera was used to take a picture of a
  computer monitor that displayed the names, Social Security
  numbers, and dates of birth of 33 airport employees.
• An e-mail containing the Social Security number of an
  employee was sent to two FEMA employees who were not
  intended to receive the e-mail.
• Three unencrypted DVDs containing Social Security
  numbers were sent to a new duty location using a
  commercial delivery service.

In addition, respondent comments to our culture of privacy survey
identified two common situations that we confirmed at CBP work
locations in which employee Social Security numbers had been
placed at risk unnecessarily. First, some supervisors and
employees have left paper copies of forms with employee Social
Security numbers in unattended areas where someone from the
public would have access, such as on the front desk of a reception
area. Second, some supervisors and staff have verbally disclosed
employee Social Security numbers in open areas of offices within
earshot of people who would normally not have access to or a
“need to know” PII. Without implementing measures to minimize
and protect the use of employees’ Social Security numbers, CBP is
increasing the risk that employee PII will be lost or stolen.

Survey Respondents Suggest Improvements to Privacy Safeguards

The Privacy Act requires that agencies implement administrative,
physical, and technical safeguards to ensure the security and
confidentiality of records. In addition, these safeguards should protect
against any anticipated threats or hazards that could result in substantial
harm to individuals from whom information is collected. More than
40 percent (2,907 of 7,229) of written comments by respondents to CBP’s
culture of privacy survey related to improving privacy safeguards.

Employees provided 817 comments or suggestions concerning privacy
training. These comments included the need for CBP to—

• Provide in-person, instructor-led training at field sites (346);
• Provide more frequent training (232);
• Incorporate on-the-job and real-world examples related to different
  programs and operations (85);
• Improve training of contractors who work in areas where PII is
  handled (74);
• Develop specialized privacy training for particular groups, such as
  new employees, supervisors, and executive managers (49); and
• Simplify the presentation and concepts during privacy training, so
  they can be applied more easily to daily operations (31).

Employees also provided 552 comments or suggestions on improving
other administrative safeguards.
These comments included the need for
CBP to—

• Consolidate forms and databases to reduce duplication of PII (381);
• Enforce existing DHS policies on protecting PII, such as
  conducting internal audits to determine compliance with required
  safeguards on the job (155); and
• Conduct thorough background checks of employees and
  contractors who are responsible for handling PII (16).

In addition, employees provided 734 comments or suggestions on
improving physical safeguards. These comments included the need for
CBP to—

• Adjust layout of work areas to improve the protection of PII (211);
• Supply drawers or bins to secure PII (192);
• Provide locks on cabinets and containers to secure PII (133);
• Provide privacy screens or adjust the placement of monitors to
  prevent onlookers from seeing PII (93);
• Address general issues related to physical safeguards (78); and
• Improve physical barriers to prevent unauthorized persons from
  accessing government computers (27).

Finally, employees provided 804 comments or suggestions on improving
technical safeguards.
These comments included the need for CBP to—

• Enforce consistent application of password protection and
  encryption (481);
• Establish limitations on access to databases (142);
• Implement technical solutions to prevent unauthorized access to
  data on personal electronic devices and removable storage media
  (88);
• Address general issues related to technical safeguards (74); and
• Consider automated alerts and pop-ups to prompt users to protect
  PII (19).

Recommendations

We recommend that the Acting Commissioner of CBP:

Recommendation #1: Establish an Office of Privacy with adequate
resources and staffing to ensure that CBP is able to fulfill its
privacy responsibilities.

Recommendation #2: Issue a directive that holds Assistant
Commissioners and Directors accountable for their employees’
understanding of and compliance with their privacy responsibilities.

Recommendation #3: Implement stronger measures to protect
employee Social Security numbers and minimize their use.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the
Assistant Commissioner of CBP’s Office of Internal Affairs. A
copy of the comments is in appendix B.

CBP concurred with recommendation #1. CBP’s Acting
Commissioner issued a memorandum entitled “Privacy Compliance
and U.S. Customs and Border Protection,” dated February 10,
2012. CBP indicated that it: (a) recognizes the expansion of its
privacy role from that previously defined in the Deputy Secretary’s
Memorandum, dated June 9, 2009, to include the review of
information sharing activities as part of its privacy compliance
role; (b) identifies its Privacy Office and associated staff as the
attorney staff that has been assigned to the Office of International
Trade since March 2003; and, (c) confirms that the identified staff
positions remain assigned to the Office of International Trade to
meet the Homeland Security Act of 2002 and the SAFE Ports Act
of 2006. We consider recommendation #1 open and unresolved,
pending our review of documentation regarding the allocation of
adequate resources and staffing to ensure that CBP is able to fulfill
its privacy responsibilities.

CBP concurred with recommendation #2. CBP’s Acting
Commissioner issued a memorandum to all Assistant
Commissioners, the Chief of the Border Patrol, Chief Counsel, and
all Executive Directors, entitled “Privacy Compliance and U.S.
Customs and Border Protection,” dated February 10, 2012, which
disseminates the DHS Privacy Policy and Compliance Directive
and Instructions, dated July 2011, for departmental guidance on
privacy compliance. CBP indicated that both documents expand
the privacy mission to include a role in reviewing information
sharing activities. We consider recommendation #2 open and
unresolved, pending our review of documentation that establishes
accountability of Assistant Commissioners and Directors for their
employees’ understanding of and compliance with their privacy
responsibilities.

CBP concurred with recommendation #3. CBP indicated that it
has started implementation of a multi-year TECS Modernization
Plan for the removal of Social Security numbers as user
identification and a general visible identifier for TECS users and
records owners.
According to CBP, changes started with web
applications for 30 internal CBP users in November 2011 and will
continue with 12 external DHS users scheduled for March 2012.
CBP indicates that TECS Modernization plans include
functionality to remove the use of supervisor Social Security
numbers from approval functions, affecting 8,000 users by March
2013. We consider recommendation #3 open and unresolved,
pending our review of documentation regarding implementation of
stronger measures to protect employee Social Security numbers
and minimize their use.

Appendix A
Purpose, Scope, and Methodology

Our objectives were to determine whether CBP has plans and
activities that instill a culture of privacy that protects sensitive
personally identifiable information and ensure compliance with
Federal privacy laws and regulations. As background for this
audit, we reviewed Federal laws and guidance related to CBP’s
responsibilities for privacy protections. We interviewed officials
from the DHS Privacy Office on component privacy reporting.
We reviewed testimonies, documentation, and reports related to
CBP’s privacy, information technology security, and program
management.

In addition to interviewing CBP’s Privacy Officer, we interviewed
60 program managers, officers, and information system security
professionals at CBP headquarters and field sites. We e-mailed a
survey to CBP employees to obtain their recommendations for
improving their understanding of privacy and for an indication of
their privacy knowledge.
We received 7,229 individual comments
on privacy risks, integrating privacy in daily operations, and
challenges in CBP privacy stewardship. (See appendix E for
details.)

We reviewed the privacy-related duties and activities performed by
the CBP Privacy Officer, Records Officer, Training Office, and field
personnel. We analyzed training programs and their content, as well
as guidance on information technology and records management to
determine whether they met the requirements of Federal privacy and
security laws and regulations. We reviewed privacy threshold
analyses, privacy impact assessments, and system of records notices
for 47 systems identified in Trusted Agent that contain personally
identifiable information and identified additional systems.

Our analysis is based on direct observation, review of applicable
documentation, and interviews. We conducted this performance
audit between April and November 2011 pursuant to the Inspector
General Act of 1978, as amended, and according to generally
accepted government auditing standards. Those standards require
that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and
conclusions based upon our audit objectives.
We believe that the
evidence obtained provides a reasonable basis for our findings and
conclusions based upon our audit objectives.

The principal OIG points of contact for the audit are Frank Deffer,
Assistant Inspector General for Information Technology Audits, at
(202) 254-4041 and Marj Leaming, Director, System Privacy
Division, at (202) 254-4172. Major OIG contributors to the audit
are identified in appendix I.

Appendix B
Management Comments to the Draft Report

1300 Pennsylvania Avenue NW
Washington, DC 20219

U.S. Customs and
Border Protection

March 13, 2012

Charles K. Edwards
Acting Inspector General
Department of Homeland Security
245 Murray Drive, SW, Building 410
Washington, DC 20528

Re: The Office of Inspector General's Draft Report Entitled, "United States Customs and
Border Protection Privacy Stewardship - For Official Use Only"

Dear Mr. Edwards:

Thank you for the opportunity to review and comment on the Office of Inspector
General's (OIG's) draft report entitled "United States Customs and Border Protection
Privacy Stewardship - For Official Use Only," (project no.
OIG-11-016-ITA-CBP).
U.S. Customs and Border Protection (CBP) appreciates the OIG's work in planning and
conducting its review and issuing this report.

While CBP's Office of International Trade (OT) recognizes the vast scope of the task
before the OIG in undertaking a full audit of all CBP, the audit does not provide a
complete understanding of certain major information technology (IT) systems such as
TECS. Authorized CBP employees use TECS and its various sub-systems and modules to
fulfill numerous border security mission responsibilities. In the draft report, the OIG
identifies TECS for its vast holdings of personally identifiable information (PII), and its
legacy reliance upon the employee social security number (SSN) as a user identification
(ID); however, the audit does not note that in over twenty years of service collecting
information pertaining to all persons lawfully, and in some cases unlawfully, crossing the
border, TECS has never had a major data breach as described in the example on pages
three and four of the draft report.

CBP believes that the culture of privacy instilled through the mandatory requirement that
each TECS user pass the TECS Privacy Awareness Course on an annual basis (39,301
users passed the test in FY 2011) contributes strongly to the enviable record TECS has
established with respect to safeguarding its information holdings. Furthermore, this culture
of privacy from TECS permeates not only the user communities of other CBP IT systems
that rely upon passing the TECS privacy course to grant system access, but also creates a
common bond of understanding with
respect to privacy and information sharing concepts. CBP has a strong culture of privacy
that cannot simply be defined by the careful, deliberate, and cautious upgrade of TECS
functionality.

Similarly, the Chart in Appendix F, starting on page 26, notes many PII holdings belonging
to CBP, but does not adequately recognize the connections or coverage of these holdings in
the privacy compliance documents pertaining to their larger IT systems. The discussion of
the chart in the report implies that the holdings are not covered and exist as untracked or
are not inventoried by CBP. Again, TECS serves as an example in that fifteen separate
entries (out of the 49 listed in Appendix F) are identifiable to TECS and covered by the
TECS privacy compliance. CBP draws attention to these representations so that the full
scope of TECS compliance and risks can be known. Enclosed to this letter are CBP's
technical comments which detail CBP's main concerns regarding the accuracy of system
representations and PII holdings in Appendix F.

The report makes three recommendations for CBP. A summary of CBP actions
and corrective plans to address the recommendations is provided below:

Recommendation #1: Establish an Office of Privacy with adequate resources and staffing
to ensure that CBP is able to fulfill its privacy responsibilities.

CBP Response: Concur.
CBP notes that certain staffing requirements of the Homeland
Security Act of 2002 and the SAFE Ports Act of 2006, mandate that the staff and positions
which have ensured CBP's privacy compliance since CBP was stood up in March 2003,
remain identified to the attorney staff currently assigned to OT.

On February 10, 2012, the Acting Commissioner, CBP, issued a memorandum entitled
"Privacy Compliance and U.S. Customs and Border Protection" to all Assistant
Commissioners, the Chief of the Border Patrol, Chief Counsel, and all Executive Directors
(see enclosed). The Acting Commissioner's Memorandum also disseminates the Privacy
Policy and Compliance Directive and implementing Instructions issued by DHS in July
2011, during the pendency of the subject audit. These documents are noteworthy as they
both provide departmental guidance with respect to privacy compliance and the role of
privacy across the DHS enterprise, and clearly expand the privacy mission to include a role
in reviewing information sharing activities. This expansion of the role defined in the June
9, 2009, memorandum from the Deputy Secretary clearly establishes the precedent for the
full scope of the Acting Commissioner's Memorandum, and his charge to CBP. CBP
believes that through the enclosed memorandum by its Acting Commissioner it has
identified its Privacy Office and associated staff.

Accordingly, CBP respectfully requests closure of this recommendation.

Recommendation #2: Issue a directive that holds Assistant Commissioners and Directors
accountable for their employees' understanding of and compliance with privacy
responsibilities.

CBP Response: Concur. On February 10, 2012, the Acting Commissioner, CBP, issued a
memorandum entitled "Privacy Compliance and U.S. Customs and Border Protection" to
all Assistant Commissioners, the Chief of the Border Patrol, Chief Counsel, and all
Executive Directors (see enclosed). The thrust of the memorandum emphasized the
importance of privacy compliance throughout CBP not only in how CBP collects and
maintains information obtained from the public, but also with respect to how CBP shares
that information with its various federal, state, local, and foreign partners in fulfillment of
its twin law enforcement and trade facilitation missions. CBP has enclosed to this letter a
copy of Acting Commissioner's memorandum and the Privacy Compliance and
Information Sharing process workflows that it disseminated to affirm a consistent practice
and role for privacy in these two aspects of the CBP mission. The Acting Commissioner's
Memorandum also disseminates the Privacy Policy and Compliance Directive and
implementing Instructions issued by DHS in July 2011, during the pendency of the subject
audit.
These documents are noteworthy as they both provide departmental guidance with
respect to privacy compliance and the role of privacy across the DHS enterprise, and
clearly expand the privacy mission to include a role in reviewing information sharing
activities.

Accordingly, CBP respectfully requests closure of this recommendation.

Recommendation #3: Implement stronger measures to protect employee Social Security
numbers and minimize their use.

CBP Response: Concur. CBP concurs with this recommendation and notes that as part of
its multi-year TECS Modernization Plan it has begun to implement IT solutions to remove
the use of the SSN as a user ID and more generally as a visible identifier for TECS users
and record owners. As part of the TECS modernization plan, a proof of concept for the
TECS web applications was migrated to production for 30 TECS users, within CBP, in
November 2011. A further demonstration of this technology fix is planned for an
additional 12 TECS users across DHS components in March 2012. Lastly, with regard to
IOIL Incident Log (Immigration Operations), TECS Modernization has scheduled a
planned implementation of functionality to remove the use of supervisor SSNs from
approval functions, affecting 8,000 users, by March 2013.

Completion Date: March 31, 2013

With regard to the sensitivity of the draft report, CBP has not identified information
within the report requiring restricted public access. Enclosed for your consideration are
CBP's technical comments.

CBP acknowledges its continuing challenge to embed a culture of privacy within
all of its employees.
CBP also recognizes that this challenge and the safeguarding of its
vast information holdings are only successfully met through a shared understanding and
practice of all employees, from the Commissioner on down. Once again, thank you for the
opportunity to comment on the draft report.

We look forward to working with you on future reviews. If you have any
questions, please have a member of your staff contact Kathryn Dapkins, Audit Liaison,
Office of Internal Affairs at (202) 344-2102.

Sincerely,

James F. Tomsheck
Assistant Commissioner
Office of Internal Affairs

Enclosures

Appendix C
Legislation, Memoranda, Directives, and Guidance
Related to CBP Privacy Stewardship Audit

LEGISLATION

Privacy Act of 1974, as amended, 5 U.S.C. § 552a.
http://www.gpo.gov/fdsys/pkg/USCODE-2010-title5/pdf/USCODE-2010-title5-partI-chap5-subchapII-sec552a.pdf

E-Government Act of 2002, Public Law 107-347, 116 Stat. 2899.
http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf

Federal Information Security Management Act of 2002, 44 U.S.C.
\xc2\xa7 3541, et seq.\nhttp://csrc.nist.gov/drivers/documents/FISMA-final.pdf\n\nImplementing Recommendations of the 9/11 Commission Act of 2007, Public Law 110-53, 121 Stat. 266, 360.\nhttp://www.nctc.gov/docs/ir-of-the-9-11-comm-act-of-2007.pdf\n\nThe Security and Accountability For Every Port Act of 2006, Public Law 109-347, 120 Stat. 1884, 1924.\nhttp://www.gpo.gov/fdsys/pkg/PLAW-109publ347/pdf/PLAW-109publ347.pdf\n\nHomeland Security Act of 2002, as amended, Public Law 107-296, 116 Stat. 2135, 2179 (2002).\nhttp://www.gpo.gov/fdsys/pkg/PLAW-107publ296/pdf/PLAW-107publ296.pdf\n\n                                                OMB MEMORANDA\n\nOMB M-07-16: Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22,\n2007). http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf\n\n                                           DIRECTIVES AND GUIDANCE\n\nDHS Memorandum: Designation of Component Privacy Officers (June 5, 2009). (No External Link Available)\n\nDHS Management Directive Number 0470.2: Privacy Act Compliance (October 6, 2005).\nhttp://www.dhs.gov/xlibrary/assets/foia/mgmt-directive-0470-2-privacy-act-compliance.pdf\n\nPrivacy Policy Guidance Memorandum Number 2008-01: The Fair Information Practice Principles: Framework for\nPrivacy Policy at the Department of Homeland Security (December 29, 2008).\nhttp://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf\n\nPrivacy Policy Guidance Memorandum Number 2008-02: DHS Policy Regarding Privacy Impact Assessments\n(December 30, 2008). http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-02.pdf\n\nPrivacy Policy Guidance Memorandum Number 2007-01: DHS Privacy Policy Regarding Collection, Use, Retention,\nand Dissemination of Information on Non-U.S. 
Persons (January 7, 2009).\nhttp://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2007-1.pdf\n\nPrivacy Policy Guidance Memorandum Number 2007-02: Use of Social Security Numbers at the Department of\nHomeland Security (June 4, 2007). http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2007-2.pdf\n\nDHS Privacy Office: Handbook for Safeguarding Sensitive Personally Identifiable Information at the Department of\nHomeland Security (October 6, 2011). http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_spii_handbook.pdf\n\nDHS Privacy Office: Privacy Incident Handling Guidance (September 10, 2007).\nhttp://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_pihg.pdf\n\nDHS Privacy Office: Privacy Technology Implementation Guide (August 16, 2007).\nhttp://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_ptig.pdf\n\nDHS Privacy Office: Privacy Impact Assessments: The Privacy Office Official Guidance (June 2010).\nhttp://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_guidance_june2010.pdf\n\nDHS Privacy Office: System of Records Notices Official Guidance (April 2008).\nhttp://www.dhs.gov/xlibrary/assets/privacy/privacy_guidance_sorn.pdf\n\nOffice of Personnel Management Memorandum: Guidance on Protecting Federal Employee Social Security Numbers\nand Combating Identity Theft (June 18, 2007).\nhttp://www.cio.gov/Documents/Guidance_on_Protecting_Fed_Emp_SSNs.pdf\n\n\n\n                            U.S. Customs and Border Protection Privacy Stewardship\n\n                                                      Page 21\n\x0cAppendix C\nLegislation, Memoranda, Directives, and Guidance\nRelated to CBP Privacy Stewardship Audit\n                                               CBP DOCUMENTS\n\nMemorandum from the Acting Commissioner, U.S. Customs and Border Protection, to Deputy Secretary,\n\nDepartment of Homeland Security (July 28, 2009). (No External Link Available)\n\n\nCBP Records Disposition Schedule (2001). 
(No External Link Available)\n\n\nOffice of Information Technology: Information Systems Security Policies and Procedures Handbook Version 2.0,\n\nHB1400-05D (July 27, 2009). (No External Link Available)\n\n\n\n\n                           U.S. Customs and Border Protection Privacy Stewardship\n\n                                                     Page 22\n\x0cAppendix D\nComponent-Level Privacy Officer Designation and Duties\n\n                    COMPONENTS TO DESIGNATE PRIVACY OFFICERS\n\n                U.S. Customs and Border Protection\n                Federal Emergency Management Agency\n                National Protection and Programs Directorate\n                Office of Intelligence and Analysis\n                Science and Technology Directorate\n                Transportation Security Administration\n                U.S. Citizenship and Immigration Services\n                U.S. Coast Guard\n                U.S. Immigration and Customs Enforcement\n                U.S. Secret Service\n\n                          COMPONENT PRIVACY OFFICER DUTIES\n\n        Communicate the component privacy initiatives, both internally and externally.\n\n        Monitor component\'s compliance with all Federal privacy laws and regulations;\n        implement corrective, remedial, and preventative actions; and notify the DHS\n        Privacy Office of privacy issues or noncompliance when necessary.\n\n        Provide privacy information to the DHS Privacy Office for the quarterly Federal\n        Information Security Management Act reporting, Section 803 of the Implementing\n        Recommendations of the 9/11 Commission Act reporting, the DHS Privacy Office\n        Annual Report, and other reporting requirements, as needed.\n\n        Serve as the point of contact to handle privacy incident response responsibilities\n        as defined in the Privacy Incident Handling Guidance.\n\n        Assist program managers and system of records owners in drafting and reviewing\n   
     Privacy Threshold Assessments, Privacy Impact Assessments, and System of\n        Records Notices, as well as any associated privacy compliance documentation.\n\n        Implement and monitor privacy training for employees and contractors.\n\n\nSource: DHS Memorandum, Designation of Component Privacy Officers, June 5, 2009.\n\n\n\n\n                       U.S. Customs and Border Protection Privacy Stewardship\n\n                                              Page 23\n\x0cAppendix E\nCBP Culture of Privacy Survey\n\nWe developed a privacy questionnaire with involvement of the CBP Privacy Officer. In\nMay 2011, we e-mailed CBP employees a hyperlink to a secure site to complete an online\nculture of privacy survey. Survey participation was voluntary, confidential, and\naccessible only by OIG.\n\nThe purposes of the survey were to obtain employees\xe2\x80\x99 responses to three questions\nregarding privacy risks, integrating privacy in daily operations, and challenges in CBP\nprivacy stewardship, as well as to assess their privacy knowledge based on the criteria in\nappendix C.\n\nA total of 7,727 respondents completed the CBP Culture of Privacy Survey. The\ncompleted survey response rate was 13.1 percent (7,727 of 58,844). 
The following figure
provides the levels of job responsibility, locations, and lengths of service of respondents
who completed the survey.

DEMOGRAPHICS
(n = 7,727 Survey Respondents)

Level of Job Responsibility
    Entry-level Employees (16.6%)
    Mid- to High-level (Non-manager) Employees (60.2%)
    Supervisors/First-Line Managers (18.9%)
    Executive/Senior Managers (4.3%)

Location
    Office of the Commissioner and Mission Support Offices (19.2%)
    Office of Field Operations (48.6%)
    Office of Border Patrol (29.5%)
    Office of Air and Marine (2.7%)

Length of Service
    Less than 3 months (0.8%)
    3–12 months (4.2%)
    1–3 years (16.6%)
    More than 3 years (78.4%)

Figure 7. Demographics of Survey Respondents

We received a total of 7,229 individual comments and suggestions for improvements
from the survey respondents. We categorized these comments by six subjects: Culture
of Privacy, Privacy Stewardship, Data Governance, Administrative Safeguards, Technical
Safeguards, and Physical Safeguards. The percentages of recommended improvements in
each of the six categories are indicated in the pie chart, illustrated in figure 8.

Figure 8. Areas for CBP Culture of Privacy Improvement

Comments on Culture of Privacy, 1,794 (25%), recommended improvements by
executive managers, program operations managers, and employees in understanding and
applying their privacy responsibilities, such as the following:

   • A shared strategic vision on privacy matters throughout the organization (657);
   • Advancement of employee privacy protections, such as discontinuing the use of
     Social Security numbers (579); and
   • Mitigation of job-specific risks unique to employee work environments (558).

Comments on Privacy Stewardship, 1,496 (21%), identified the need for CBP to
advance privacy as an operational priority. Respondents recommended improvements,
such as the following:

   • Managerial and supervisory roles in encouraging the advancement of privacy
     through their example and ensuring uniform accountability (798);
   • Accessibility of consistent privacy guidance and policies with defined privacy
     goals and guidelines to achieve them (437);
   • Privacy protections on the job through the use of reminders (230); and
   • CBP Privacy Officer’s role in privacy (31).

Comments on Data Governance, 1,032 (14%), involved the consistent and proper
management of data during collection, use, storage, and disposition. Respondents
recommended improvements, such as the following:

   • Records management guidance on retention and disposition of PII (375);
   • Guidance explicitly limiting distribution of public and employee PII to individuals
     with a need-to-know disclosure (257);
   • Data quality and integrity (239); and
   • Guidance and practices regarding whether information should be shared (161).

Comments on Administrative, Physical, and Technical Safeguards, 2,907 (40%), are
discussed in a separate section of the report. Of all safeguards recommended, 743 (25%)
comments focused on improving privacy training, such as the following:

   • Increased frequency (346);
   • Expanded delivery options (232);
   • Incorporated privacy applications, using on-the-job and real-world examples that
     relate to the different programs and operations at CBP (85);
   • Added specialized privacy training for particular groups, such as new employees,
     supervisors, and executive managers (49); and
   • Simplified presentations and concepts for easier application to daily operations
     (31).

Appendix F
CBP Privacy Compliance Status

OMB M-07-16 requires agencies to review their holdings of all PII and ensure that they
are accurate, relevant, timely, and complete. DHS privacy policy guidance requires a
privacy threshold analysis to be conducted every three years when significantly
changing existing systems, or when proposing new systems.
The E-Government Act of
2002 requires a privacy impact assessment to be conducted for all new or substantially
changed information systems that collect, maintain, or disseminate PII to ensure that
privacy protections are incorporated during the development and operation of systems
and programs that affect PII. The Privacy Act of 1974 requires a system of records
notice to inform the public about what PII is being collected, why it is being collected,
how long it is being retained, and how it will be used, shared, accessed, and corrected.
The status of privacy compliance documentation could affect how CBP should address
privacy or trigger further review concerning the need to update privacy threshold
analysis, privacy impact assessments, or system of records notices on the underlying
systems.

Figure 9 provides the privacy compliance status for 95 systems. The figure shows the
date of documentation for 47 systems or programs that the CBP Privacy Officer identified
as his inventory of PII as of July 2011. Of the 47 systems or programs, 16 do not require
a privacy impact assessment and three do not require a system of records notice. In
addition, we compared several sources, including CBP’s information reported in Trusted
Agent’s inventory, CBP/Information Technology Intranet website, DHS Privacy Office’s
public website, and interviews with CBP personnel, and identified 48 potential systems or
programs during the course of the audit.
The legend for our determinations is:

Completed: Privacy threshold analysis, privacy impact assessment, or system of records notice on file
Need: DHS Privacy Office/CBP agree that privacy impact assessment and/or system of records notice are/is required
None: Privacy threshold analysis was unavailable; CBP needs to make a determination
Not Applicable: Either a system of records notice or privacy impact assessment does not apply to information technology systems in CBP’s inventory
Other: May be part of, but not fully addressed by, CBP’s published privacy impact assessments or system of records notices
Undetermined: May affect privacy, but does not have a privacy threshold analysis. Therefore, we cannot determine whether the system requires a privacy impact assessment or system of records notice
Out of Date: Privacy threshold analysis has expired date

Name | Types of Personally Identifiable Information | Privacy Threshold Analysis | Privacy Impact Assessment | System of Records Notice

Automated Commercial Environment (ACE)/Automated Commercial System (ACS) and Associated Applications

Automated Commercial Environment (ACE) | Broker, Cargo, Carrier, Importer | Completed Jun 15, 2006 | Completed Jul 14, 2006 | Completed Jan 19, 2006
Automated Commercial System (ACS) | Broker, Cargo, Carrier, Importer | Completed Nov 9, 2007 | Completed Dec 2, 2008 | Completed Dec 19, 2008
Automated Export System (AES) | Broker, Cargo, Carrier, Importer | Completed Nov 9, 2007 | Need | Need
Secure Freight Initiative International Container Security (SFI/ICS)2 | Cargo | None | Other | Other

Automated Targeting System (ATS) and Associated Modules

Automated Targeting System (ATS) | Traveler, Conveyance, Cargo | Completed Mar 28, 2008 | Completed Dec 2, 2008 | Completed Aug 6, 2007
Automated Targeting System Inbound (ATS-N)2 | Traveler, Conveyance, Cargo | None | Other | Other
Automated Targeting System Intelligence and Operations Framework System (IOFS) | Traveler, Conveyance, Cargo | Undetermined | Undetermined | Undetermined
Automated Targeting System Land (ATS-L)2 | Traveler, Conveyance, Cargo | None | Other | Other
Automated Targeting System Outbound (ATS-AT)2 | Traveler, Conveyance, Cargo | None | Other | Other
Automated Targeting System Passenger (ATS-P)2 | Traveler, Conveyance | None | Other | Other
Automated Targeting System TAP (Trend Analysis and Analytical Selectivity Program)2 | Traveler, Conveyance, Cargo | None | Other | Other
E3: Next Generation of ENFORCE | Traveler | Completed Oct 26, 2007 | Need | Completed Mar 20, 2006

Global Enrollment System / Western Hemisphere Travel Initiative and Associated Applications

Global Enrollment System (GES) | Traveler, Passenger | Completed Jul 27, 2006 | Completed Apr 20, 2006 | Completed Apr 21, 2006
Global Entry | Traveler, Passenger | Completed Jul 14, 2006 | Completed Apr 20, 2006 | Completed Apr 21, 2006
Global Online Enrollment System (GOES)2 | Traveler, Passenger | None | Other | Other
Western Hemisphere Travel Initiative (WHTI) | Traveler | Completed Apr 18, 2007 | Completed Mar 24, 2008 | Completed Dec 19, 2008
Decal and Transponder Online Procurement System (DTOPS) | Conveyance | Completed Oct 14, 2009 | Need | Completed Apr 21, 2006
Free and Secure Trade (FAST)1, 2 | Cargo | None | Other | Other
Customs-Trade Partnership Against Terrorism (CTPAT) | Broker, Cargo, Carrier, Importer | Completed Oct 22, 2009 | Need | Need

TECS and Associated Functions or Resides on TECS Platform

TECS | Traveler, Employee | Completed Jan 2, 2008 | Completed Dec 22, 2010 | Completed Dec 19, 2008
TECS Modernization | Traveler, Employee | Completed Oct 4, 2007 | Completed Dec 22, 2010 | Completed Dec 19, 2008
Advanced Passenger Information System (APIS)2 | Passenger, Crew | None | Other | Other
Advanced Passenger Information System (APIS) Pre-Departure2 | Passenger, Crew | None | Other | Other
Electronic Advanced Passenger Information System (eAPIS)2 | Passenger, Crew | None | Other | Other
Integrated Advanced Passenger Information System (IAPIS)2 | Passenger, Crew | None | Other | Other
Border Security Deployment (BSD) | Employee, Contractor, Traveler | Completed Apr 7, 2010 | Need | Completed Dec 19, 2008
CBP Vetting2 | Traveler | None | Other | Other
DataShare Project Immigrant and Non-immigrant Visas2 | Traveler | None | Other | Other
License Plate Reader (LPR)1 | Traveler | Completed Sep 8, 2009 | Completed Jan 2, 2008 | Completed Dec 19, 2009
NIDPS External Interfaces1 | Traveler, Passenger | Undetermined | Undetermined | Undetermined
Outlying Area Reporting Station (OARS) | Traveler | Undetermined | Undetermined | Undetermined
Pedestrian Primary Processing1, 2 | Traveler, Employee | None | Other | Other
Pleasure Boat Reporting System (PBRS)2 | Traveler, Conveyance | None | Other | Other
Portable Automated Lookout System (PALS)1, 2 | Traveler | None | Other | Other
Primary Lookout Override (PLOR)1, 2 | Traveler, Passenger | None | Other | Other
Regional Movement Alert System (RMAS) | Passenger, Crew | Undetermined | Undetermined | Undetermined
Regulatory Audit Management Information System (RAMIS) | Broker | Completed Aug 4, 2008 | Not Applicable | Completed Dec 19, 2008
TECS – TECS Case Management1, 2 | General public involved in specific cases | None | Other | Other
TECS – Inspection Operations – Secondary Processing1, 2 | Traveler, Passenger | None | Other | Other
TECS – TECS/NIIS1, 2 | Traveler, Passenger | None | Other | Other
TECS – TECS Reporting1, 2 | Traveler, Employee | None | Other | Other
Traveler Primary Arrival Client (TPAC)1, 2 | Passenger, Crew | Completed Feb 24, 2010 | Other | Other
Vehicle Primary Processing1, 2 | Traveler, Employee | None | Other | Other

Data sets or feeds supplied by other Government agencies for use by CBP, covered by CBP information sharing access agreement, and reside within the boundary of a CBP system

Currency or Monetary Instruments Report (CMIR)2 | Traveler | None | Other | Other
Customs Automated Maintenance Inventory Tracking System (CAMITS) | Employee, Contractor | Completed Jan 30, 2009 | Not Applicable | Completed Dec 29, 2006
Interstate Identification Index (III)2 | Traveler | None | Other | Other
National Crime Information Center (NCIC)2 | Traveler, Passenger | None | Other | Other
National Law Enforcement Telecommunications System (NLETS) | Traveler, Passenger | Undetermined | Undetermined | Undetermined
Private Aircraft Enforcement System (PAES)1, 2 | Passenger | None | Other | Other
Security Filing2 | Broker, Cargo, Importer | None | Other | Other
U.S. Passport Load from Department of State2 | Traveler, Passenger | None | Other | Other

UNCATEGORIZED: May be subsystem or module that is a major subdivision or component of an information system; tools, application software, or specialized functionality to the hosted information system; or, infrastructure, data set or feed, interface, or service within the boundary of a system. These systems may include administrative, human resources, or financial systems.

10-Print Pilot Initiative1 | Passenger, Crew | Undetermined | Undetermined | Undetermined
Active Directory/Exchange (ADEX) | Employee, Contractor | Completed Feb 24, 2010 | Completed Jan 14, 2009 | Completed Sep 29, 2009
Air and Marine Operations Surveillance System (AMOSS) | Traveler, Cargo | Completed Jul 28, 2009 | Need | Not Applicable
Analytical Framework for Intelligence (AFI) | Traveler, Broker, Cargo, Carrier, Importer | Completed Jan 9, 2009 | Need | Need
Audit and Review Tracking System (ARTS)1 | Employee | Undetermined | Undetermined | Undetermined
Blackberry Enterprise Server and Wireless Handheld Devices (BES WHD) | Employee, Contractor | Completed Aug 10, 2009 | Completed Jan 14, 2009 | Completed May 15, 2008
Border Patrol Enforcement Tracking System (BPETS) | Employee, Contractor, Traveler | Completed Jul 28, 2006 | Need | Completed Dec 19, 2008
Border Patrol Enforcement Tracking System 2 (BPETS 2) | Employee, Contractor, Traveler | Completed Jan 29, 2009 | Need | Completed Mar 20, 2006
Cargo Enforcement Reporting and Tracking System (CERTS)1 | Broker, Cargo, Carrier, Importer | Undetermined | Undetermined | Undetermined
Computerized Aircraft Reporting Materiel Control (CARMAC) | Employee, Contractor | Completed Mar 24, 2010 | Not Applicable | Need
CBP Application Integration Project (CAIP) | Employee, Contractor | Completed Jan 21, 2009 | Not Applicable | Completed May 15, 2008
CBP Automated Pre-Employment System (CAPES)1 | Employee | Undetermined | Undetermined | Undetermined
CBP Automated Travel System (CATS) | Employee | Undetermined | Undetermined | Undetermined
CBP Complaint Management System (CMS) | Traveler | Undetermined | Undetermined | Undetermined
CBP Overtime Schedule System (COSS) | Employee | Undetermined | Undetermined | Undetermined
CEAR1 | Employee, Contractor | Undetermined | Undetermined | Undetermined
Combined Automated Operations System (CAOS) | Employee, Contractor | Completed Oct 23, 2006 | Not Applicable | Completed Oct 28, 2008
Dedicated Commuter Lane (DCL)1 | Traveler | Undetermined | Undetermined | Undetermined
Enterprise Data Warehouse (EDW) | Employee, Contractor, Traveler, Cargo | Completed Jan 23, 2007 | Need | Need
Enterprise Geospatial Information Services (eGIS) | Traveler | Completed Nov 1, 2007 | Not Applicable | Completed May 15, 2008
Enterprise Service Bus (ESB) | Employee, Contractor | Completed Aug 5, 2008 | Need | Need
Enterprise Management Information System – Enterprise Data Warehouse (EMIS EDW) | Employee, Contractor, Traveler, Cargo | Completed Mar 24, 2010 | Need | Need
Electronic System for Travel Authorization (ESTA) | Traveler | Completed Nov 10, 2010 | Completed Jul 18, 2011 | Completed Jun 10, 2008
Firearms, Armor, and Credentials Tracking System (FACTS) | Employee | Completed Apr 3, 2008 | Not Applicable | Completed Oct 23, 2008
I-94 Form, Non-Immigrant Information Data Processing System (NIDPS) formerly NIIS2 | Traveler, Passenger | None | Other | Other
I-94 Secondary Processing
                 Traveler, Passenger             None            Other             Other\nProject2\n\nIntellectual Property Rights\n                                  General public               Undetermined   Undetermined      Undetermined\nSearch (IPRS)1\n\nIntelligent Computer Assisted                                  Completed\n                                  Traveler, Passenger                             Need              Need\nDetection (ICAD)                                               Dec 2, 2009\n\nJoint Integrity Case                                           Completed                         Completed\n                                  Employee, Contractor                            Need\nManagement System (JICMS)                                      Feb 1, 2010                      Nov 14, 2008\n\nNational Finance Center Field                                   Completed                        Completed\n                                  Employee, Contractor                        Not Applicable\nLAN System                                                      Jan 7, 2009                     Oct 23, 2008\n\nNational Data Center\n                                                                Completed                        Completed\nAdministrative Applications       Employee, Contractor                        Not Applicable\n                                                               Oct 23, 2006                      Mar 5, 2007\n(NDC Administrative Apps)\nNational Data Center Financial\n                                                                Completed                        Completed\nApplications (NDC Financial       Employee                                    Not Applicable\n                                                               Jan 23, 2009                     Oct 23, 2008\nApps)\n\nNational Data Center Mainframe                                  Completed                        Completed\n                                  
Employee                                    Not Applicable\nInfrastructure System                                          Apr 21, 2008                     May 15, 2008\n\nNon-Intrusive Inspection (NII)                                 Completed\n                                  Cargo, Carrier                                  Need          Not Applicable\nSystems Program                                                Sep 5, 2007\n\nNational Targeting Center LAN                                  Completed                         Completed\n                                  Employee, Contractor                        Not Applicable\nSystem (NTC LAN)                                               Dec 7, 2006                      Dec 29, 2006\n\n                                                                Completed                        Completed\nOpSTAR                            Employee, Contractor                        Not Applicable\n                                                                Oct 3, 2008                     May 15, 2008\n\nQuality and Uniformity\n                                  Broker, Cargo, Carrier,\nInformation Control System                                     Undetermined   Undetermined      Undetermined\n                                  Importer\n(QUICS)\n\nRemedy Incident Reporting                                       Completed                        Completed\n                                  Employee, Contractor                        Not Applicable\n(Remedy)                                                       Jan 29, 2009                     Sep 29, 2009\n\n\n\n\n                           U.S. 
Customs and Border Protection Privacy Stewardship\n\n\n                                                    Page 32\n\n\x0cAppendix F\nCBP Privacy Compliance Status\n\n                                      Types of Personally        Privacy\n                                                                               Privacy Impact     System Of\n                 Name                     Identifiable          Threshold\n                                                                                Assessment      Records Notice\n                                         Information             Analysis\n\n    Systems, Applications, and                                   Completed                        Completed\n                                     Employee, Contractor                      Not Applicable\n    Products (SAP)                                              Mar 19, 2009                     Dec 29, 2006\n\n    Secure Border Initiative-net                                Completed        Completed\n                                     Biometrics                                                  Not Applicable\n    (SBInet)                                                    Dec 2, 2009     Jul 20, 2007\n\n                                                                 Completed\n    SBInet Northern Border           Biometrics                                    Need              Need\n                                                                 Jul 6, 2011\n\n                                                                 Completed\n    SBInet Southern Border           Biometrics                                    Need              Need\n                                                                 Jul 6, 2011\n\n    Seized Asset and Case Tracking Broker, Cargo, Carrier,      Completed                         Completed\n                                                                                   Need\n    System (SEACATS)               Importer 
                    Nov 5, 2007                      Dec 19, 2008\n\n                                                                Completed                         Completed\n    Virtual Learning Center (VLC)    Employee, Contractor                      Not Applicable\n                                                                Sep 8, 2009                       May 8, 2006\n\nFigure 9. CBP Privacy Compliance Status\n\n1\n Listed on CBP Intranet, Office of Information Technology/program office pages, but not in Trusted Agent.\n2\n Some privacy risks may be mitigated by information technology controls as described by pertinent system\nsecurity plans or other information technology documentation.\n\n\n\n\n                              U.S. Customs and Border Protection Privacy Stewardship\n\n                                                      Page 33\n\x0cAppendix G\nInconsistencies Between Records Retention Schedules Published in System of\nRecords Notices and Internal Guidance\n\nAccording to the Privacy Act, information in the published system of records notices\nmust accurately describe how Government employees handle the public\xe2\x80\x99s PII. We\nreviewed 26 different types of records described in CBP\xe2\x80\x99s system of records notices for\n34 systems. 
Figure 10 lists the 26 types of records that are described in the system of\nrecords notices.\n\nTypes of Records\nAircraft Manifest | Arrival-Departure Record for Nonimmigrant Visitors with a Visa for the U.S.\nLand Vehicle Manifest | Trusted Traveler Program Information\nSea Vessel Manifest | Travel Document Information\nPostal Declaration | Foreign National Arrival-Departure Information in Electronic and Paper Format\nCarrier, Broker, Importer/Exporter Account Information | Records Related to a Law Enforcement Action\nImporter Security Filing | Regulatory Audit Files\nShipper\xe2\x80\x99s Information | Law Enforcement Records, including Expired Statutes of Limitation\nPassenger Name Record | Carrier Records\nBorder Crossing Information of U.S. Citizens and Lawful Permanent Residents | Broker Files\nBorder Crossing Information of Nonimmigrant Visitors | Cartmen and Lightermen Files\nRecordings with Security Incidents | Warehouse Proprietor Records\nRecordings with Actions Taken by CBP | Driver Records\nForeign National Information via Visa Waiver Program | Information on Proprietor Bonded Warehouse Operators and Employees\n\nFigure 10. Types of Records Described in CBP\xe2\x80\x99s Published System of Records Notices\n\nRecords retention and disposal schedules are documents that identify an organization\xe2\x80\x99s\nrecords and provide instructions on how long to retain or maintain records and when to\ndispose of records. We compared the published schedules in the system of records\nnotices with CBP\xe2\x80\x99s internal guidance. Using guidance issued internally by CBP,\nemployees are not retaining PII for the same periods of time as published for the public in\nthe system of records notices. 
Figure 11 indicates the number of records identified in the\nsystem of records notices by type of inconsistency.\n\nType of Inconsistency | # Inaccurate Records Scheduled | Percentage\nRecords disposed of before the time published in the system of records notices | 7 | 26.9%\nRecords held longer than the time published in the system of records notices | 13 | 50.0%\nRetention and disposal of records not addressed by internal guidance | 6 | 23.1%\nTotal # record schedules described in the system of records notices | 26 | 100%\n\nFigure 11. Inconsistencies in CBP\xe2\x80\x99s Personally Identifiable Information Records Retention and\nDisposal Schedules\n\nAppendix H\nDHS Fair Information Practice Principles at Work\n\nThe Privacy Office\nU.S. Department of Homeland Security\nWashington, DC 20528\n\nHomeland Security\n\nThe Fair Information Practice Principles at Work\n\nDHS issued Privacy Policy Guidance Memorandum 2008-01 on December 29, 2008 memorializing the Fair Information\nPractice Principles (FIPPs) as the foundational principles for privacy policy and implementation at DHS. The eight FIPPs\nform the basis of the Department\'s privacy compliance policies and procedures governing the use of personally\nidentifiable information (PII). The FIPPs are embedded into DHS privacy sensitive systems, programs, and information\nsharing arrangements and are derived from the Privacy Act and other federal and international privacy guidelines. This\ndocument provides some typical examples of how the DHS Privacy Office oversees implementation of the FIPPs in the\nDepartment.\n\nTransparency\nDHS employs several means to provide transparency to the public of its activities and DHS privacy protections. DHS\nprovides public notice of the collection, use, dissemination, and maintenance of PII through various mechanisms\nincluding: direct notice (commonly referred to as a Privacy Act e(3) statement) on forms used to collect information\nfrom individuals; signage at U.S. ports of entry; and publication of privacy compliance documentation such as Privacy\nImpact Assessments (PIAs) and System of Records Notices (SORNs). More broadly, DHS implements transparency by\nmaking its PIAs, SORNs, guidance, and other reports, including congressionally-mandated reports, available on the DHS\nPrivacy Office website located at http://www.dhs.gov/privacy. In some instances, law enforcement or national security\nconcerns prevent public disclosure of specific details of systems and programs. In these defined cases, DHS notifies the\npublic of the exemptions for relevant systems. 
Even for these exempted systems, however, DHS reviews access requests\non a case-by-case basis.\n\nIndividual Participation\nDHS and its components have varied missions, including benefits administration, grants administration, border\nmanagement, transportation security, cyber security, law enforcement, and national security. When programs carried\nout in pursuit of these missions require the collection of PII, DHS seeks to collect PII directly from individuals. If an\nindividual believes a benefit was denied or some type of Departmental action (e.g., a referral to secondary screening)\nwas taken as a result of an error in his information, that individual may, regardless of citizenship, seek access to, and, as\nappropriate, correct his information through the Freedom of Information Act (FOIA)/Privacy Act process. Furthermore,\nDHS developed the DHS Traveler Redress Inquiry Program (DHS TRIP) to be a single point of contact to handle questions\nand concerns about travel screening. An individual has the additional option of submitting a request for correction\ndirectly with the DHS Chief Privacy Officer. Recognizing that certain DHS functions are law enforcement or national\nsecurity sensitive, DHS will not always collect information directly from the individual or permit access to and/or\ncorrection of records through the FOIA/Privacy Act process. In these cases, the Department provides notice through the\nrelevant system Privacy Act exemption(s), and through response to related inquiries.\n\nPurpose Specification\nDHS articulates the legal authority that permits the collection of PII as well as the purpose or purposes for which the PII\nis intended to be used in its PIAs and SORNs. 
As part of the privacy compliance process, a program must be able to\narticulate the need for a particular collection of information with an appropriate legal authority and purpose\njustification.\n\nWebsite: www.dhs.gov/privacy    Email: privacy@dhs.gov    Phone: 703-235-0780\n\nData Minimization\nDHS seeks to minimize its collection of PII through its privacy compliance processes in two ways. First, the DHS Privacy\nOffice works with the Office of the Chief Information Officer on the Paperwork Reduction Act process that seeks to\nminimize the collection of information, including PII from the public. Second, PIAs and SORNs require that data\nelements being collected are both relevant and necessary for the stated purpose of the system. DHS places a special\nemphasis on reducing the use of Social Security numbers (SSNs). DHS does not collect SSNs unless there is a valid\nauthority for their collection.\n\nUse Limitation\nDHS limits its uses of PII to those that are permissible under law, and articulated in published PIAs and SORNs. Uses may\ninclude sharing both inside and outside of DHS. Within the Department, use of PII is limited to personnel who have an\nauthorized need-to-know for the information. For external sharing, these uses are legally defined "routine uses," and\nmust be compatible with the original collection and purpose specification. Absent a statutory requirement to disclose\nspecific information, such routine use sharing decisions are made following a case-by-case review by the DHS Privacy\nOffice to ensure a request meets the requirements. 
Sharing PII with external entities is done pursuant to routine uses\narticulated in published SORNs and may also be authorized by a written information sharing agreement, such as a\nMemorandum of Understanding, between the Department and the receiving agency.\n\nData Quality and Integrity\nTo ensure data quality, DHS collects information directly from the individual where practicable, especially in benefit\nadministration functions. Recognizing data errors occur, DHS has implemented redress mechanisms that enable\nindividuals to seek access and correction of their information through the FOIA/Privacy Act process, as described above.\nTravelers who experience difficulties may also seek redress through DHS TRIP.\n\nSecurity\nSince privacy and security are complementary, DHS Privacy Office works closely with the Office of the Chief Information\nOfficer and the Chief Information Security Officer to ensure that security controls are put in place in IT systems that are\ncommensurate with the sensitivity of the information they hold. Privacy requirements are built into the DHS Sensitive\nSystems Security Policy to safeguard PII from inappropriate, unauthorized, or unlawful access, use, disclosure, or\ndestruction. By law, such systems must be certified as meeting relevant security standards. System and program\nmanagers are required to complete a Privacy Threshold Analysis, as well as a PIA and SORN, if applicable, before an IT\nsystem becomes operational.\n\nAccountability and Auditing\nDHS\' privacy protections are subject to oversight by its Chief Privacy Officer and Inspector General as well as by the\nGovernment Accountability Office and the U.S. Congress. 
In addition to these oversight mechanisms, component\nprivacy officers, system owners, and program managers implement accountability in their systems and programs\nthrough activities such as periodic review of audit logs to ensure that uses of PII are consistent with the purposes\narticulated for the collection of that information, as required by the Privacy Act. Further, as public documents, PIAs and\nSORNs not only demonstrate transparency but also serve as means by which the public can hold the Department\naccountable for its collection, use, and sharing of PII.\n\nJune 2011\n\nAppendix I\nMajor Contributors to this Report\n\nMarj Leaming, Director\nEun Suk Lee, Lead Privacy Auditor\nKevin Mullinix, Program Analyst\nSteven Tseng, Management and Program Assistant\nErnest Bender, Referencer\n\nAppendix J\nReport Distribution\n\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nDeputy Chief of Staff\nGeneral Counsel\nExecutive Secretariat\nDirector, GAO/OIG Liaison Office\nAssistant Secretary for Office of Policy\nAssistant Secretary for Office of Public Affairs\nAssistant Secretary for Office of Legislative Affairs\nCommissioner of CBP\nDHS Privacy Office\nCBP Audit Liaison Office\nCBP Privacy Officer\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriations Committees, as appropriate\n\nADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General\n(OIG) at (202)254-4100, fax your request to (202)254-4305, or e-mail your request to\nour OIG Office of Public Affairs at DHS-OIG.OfficePublicAffairs@dhs.gov. 
For\nadditional information, visit our OIG website at www.oig.dhs.gov or follow us on Twitter\n@dhsoig.\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to Department of Homeland Security programs and\noperations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202)254-4292\n\n\xe2\x80\xa2 E-mail us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n        DHS Office of Inspector General/MAIL STOP 2600,\n        Attention: Office of Investigation - Hotline,\n        245 Murray Drive SW, Building 410\n        Washington, DC 20528\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'